Mailing List Archive



Re: [tlug] Monkey vs Apache!!! Fight!



> It is probably hard to get more information from this
> person, but what was he doing at the time?  With all these
> accesses, did he notice that his network light was flashing
> even though he wasn't doing anything (that happens to me
> sometimes, so I can't blame him if he didn't think anything
> of it...).  When you blocked his IP address, did he realize
> something was wrong?

Actually he was quite friendly, in fact he invited me to come over,
drink some beer and check it out myself. The thing is, even if I went,
I wouldn't be quite sure what I was looking for. If you have any ideas
I can probably test them out.

> I've worked on a web server before, but it probably can't
> protect itself from a DNS attack (or the unintentional
> equivalent).  Some sites I go to restrict concurrent
> accesses and if they exist, they lock the IP address
> automatically for a few days with a message to ask you to
> "fix your system"

My roommate and I once set up a monitor that looked at criterion.com once
an hour to see if the home page changed (it was basically just a
diff) and then it would email us if something changed. They banned our
IP and we could never get it unblocked.

> I guess you could monitor IP addresses and the web server's
> load and use some heuristic and an automated e-mail to the
> root user...

I did set up a slightly ghetto solution that does do something sort of
like that. Sends a warning when it gets busy, but at that point it's
basically already too late seeing as the whole thing happens in a
matter of seconds. I guess it's more like a message telling us to
restart the service because it's about to go down. I'm looking for a
more resilient solution.

Cheers,
Sach
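
Added example, not part of the original message or of either web server's code: a per-client sliding-window counter over access-log lines, one way to build the IP-monitoring heuristic suggested in the quoted text so that it reacts to the offending client within the burst rather than to overall load, and locks it only temporarily. The Common Log Format input, the thresholds, the function names and the documentation-range IP addresses are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format prefix: client IP, identity, user, [timestamp]
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_floods(lines, max_hits=20, window=timedelta(seconds=5),
                lock=timedelta(minutes=10)):
    """Return [(ip, locked_at, locked_until)] for clients that send more
    than max_hits requests inside any sliding window of length `window`."""
    recent = defaultdict(deque)   # ip -> request timestamps inside the window
    locked_until = {}             # ip -> expiry time of its current lock
    events = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue              # skip malformed lines instead of crashing
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        if ip in locked_until and ts < locked_until[ip]:
            continue              # still locked; a real filter would drop it
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # expire timestamps older than the window
            q.popleft()
        if len(q) > max_hits:
            locked_until[ip] = ts + lock   # temporary lock, expires by itself
            events.append((ip, ts, ts + lock))
            q.clear()
    return events

def sample_log():
    """Constructed sample: one client floods, another polls slowly."""
    base = datetime.strptime("10/Oct/2005:13:55:00 +0900", TS_FMT)
    fmt = '{} - - [{}] "GET / HTTP/1.1" 200 512'
    lines = []
    for i in range(60):   # 192.0.2.10: 30 requests per second for 2 seconds
        t = base + timedelta(seconds=i // 30)
        lines.append(fmt.format("192.0.2.10", t.strftime(TS_FMT)))
    for i in range(5):    # 198.51.100.7: one request every 10 seconds
        t = base + timedelta(seconds=10 * i)
        lines.append(fmt.format("198.51.100.7", t.strftime(TS_FMT)))
    return lines

if __name__ == "__main__":
    for ip, at, until in find_floods(sample_log()):
        print(f"lock {ip} at {at:%H:%M:%S} until {until:%H:%M:%S}")
```

On the constructed sample the flooding client is locked on its 21st request in the first second, while the slow poller is never flagged.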

